EXECUTIVE SUMMARY

TITLE: Data and Information Integrity in a Distributed Environment.

AUTHOR: D. Carl Abernethy, Jr.

The 90's will be the era of Information Management in Computer Processing. Information Management demands the integrity of the data and information that we process and handle. As we move into this new age, we are losing the ability to ensure integrity in a distributed processing environment. This is due in part to the proliferation of terminals and workstations and the advent of networking as we move from a centralized approach to data processing and data-basing.

Integrity is more than a security issue. It encompasses accuracy, correctness, and validity of data. Database development, database management systems, networking of terminals and systems, and the distributed environment of software and information compound integrity concerns.

Until we recognize that information is our most precious resource, we will ignore the importance of integrity concerns and their impact on the computer world. This paper will address these issues.
CHAPTER I

INTRODUCTION

This is the information age. With the advent of computers, computer systems, the proliferation of terminals and workstations, networking and distributed processing, the need to ensure the integrity of our data and information is becoming critical. We are being inundated with millions of bits of data that computers can store and pass at ever increasing speeds. To alter the arrangement of or remove any of these pieces of data destroys the original thought, conveying a different meaning or none at all. Perhaps the easiest way to remind ourselves of the importance of integrity is to reflect on the childhood game of "telephone." A number of people stand in a circle. The first person whispers a story to the person to his right and this process is repeated until the story is passed around the circle and repeated back to the originator. We all know that the story is changed or may be completely different. If the meaning and literal constructs of the story could be maintained without change as it passes from one person to the next, regardless of the number of persons in the chain, then we have information integrity.

Although computer security has been an important requirement in the military since computer use began, it has been explicitly recognized in nonmilitary government and business only since the late 1960's. Data and information integrity, on the other hand, are just now being recognized as part of the security environment. Additionally, the disclosure of information to someone not authorized to see it is a major focus of governmental and military security and has been a concern since long before the invention of computers. The "Department of Defense Trusted Computer System Evaluation Criteria" documents the requirements for secure computer systems at various levels. Still, no standards or guidelines are forthcoming in the area of integrity, even though it is recognized as a problem.

To protect our most precious resource adequately, we need to understand integrity and its implications and constraints in several environments. This paper will provide a working knowledge of integrity, its relationship to security, databases and database management systems, and the impact of integrity in networks and the distributed environment.


CHAPTER II

INTEGRITY

What is data integrity and information integrity? To grasp these ideas and the seriousness of the problems we face, one must understand what we mean by integrity in both contexts. Most people in the discussion of integrity interchange the words data and information. We should understand the distinctions between these words. Yet, in the discussion of integrity to follow, these distinctions are not critical to understanding the importance of data and information integrity. I also will take the liberty of interchanging them once the distinctions are clear. To continue to differentiate between these terms will be of little benefit to the reader as we develop an understanding of integrity in the computer environment.

For my purposes, I will consider a datum as the lowest or smallest element of an information chain. By that I mean, a datum will represent the smallest physical element of unique value within a frame of reference. For example, if we consider the written words of this article, the information chain would be the article, a chapter, a paragraph, a sentence, and a word. Words then become the data elements within this frame of reference. By chaining words together we create information to convey different thoughts. Yet, we know that letters comprise words and, in a different context, within a computer the binary representation of a letter consists of a unique string of 1's and 0's. In a graphical sense, hundreds of dots which, when physically aligned in an agreed upon format, represent a pictorial pattern we call a 1 or 0.

What then is information? Captain Jackson, Chief of the Technology Integration Office, Air War College, Maxwell AFB, Alabama, has postulated that "a common definition of information is the meaning humans assign to data. That is, a datum has no meaning by itself, but when put together with other data there is meaning to the perceiver." (1) The point being, a frame of reference or agreed upon standard and level of precision must be defined and approved. Approval needs to be by all parties concerned with the data elements or groupings of those elements that comprise information.

Integrity can be defined as "those qualities which give data and systems both internal consistency and a good correspondence to real-world expectations for the systems and data. Primarily, the expectation of integrity means that systems and data remain predictably constant and change only in highly controlled and structured ways. This concept of integrity is tied to both an internal and an external consistent standard." (2:10) Another definition for data integrity is "the state that exists when computerized data is the same as that in the source documents or has been correctly computed from source data and has not been exposed to accidental or malicious alteration or destruction." (3:22)
Ronda Henning and Swen Walker expressed the best encapsulation of the integrity concept in their article "Data Integrity vs. Data Security: A Workable Compromise." They identified six functional areas:

a. How correct we think the information is,

b. How confident we are that the information is from its original source,

c. How correct the functioning of the process is,

d. How closely the process function corresponds to its designed intent,

e. How confident we are that the information in an object is unaltered, or was correctly modified, and

f. How correct the information in an object is. (4:335)

We have defined data and information. What then is the process that Henning and Walker allude to? Process can be defined as the desired intent of achieving the same results if the same code (software) executes repeatedly with the same input. We rely on and expect the operation of our computer systems to run properly with known and reliable results, so that the correctness of the result can be guaranteed. We classify this as system integrity. Yet, two areas of concern are immediately identifiable: the electromechanical device (the computer - hardware) and the set of instructions (code - software) that execute on the system. Manufacturing integrity and the consumer market assure us of hardware reliability. The user or consumer must then ensure that the operating environment falls within the manufacturers' specifications to maintain integrity. We now begin to understand the high cost of software development in terms of time and money. The creation of instruction sets that will produce desired, accurate results on data is demanding, meticulous work. Slipshod procedures and lack of standards or controls induce errors in the software development process that significantly impact the integrity of the resulting product or the instruction set executed. Developers of code must be aware of the traps awaiting them and resist the temptations to produce code that does not ensure integrity of results. Again, the consumer market controls commercial software and the demands of the user control the evolution of internally developed code.

Integrity in our context embodies accuracy, correctness, and validity of data. The dominant problem of integrity is the problem of ensuring that the data is accurate. We must protect information from errors in data entry, from mistakes made by people manipulating the data, and from mistakes made by people operating the system. Programmers make errors, systems fail, and even deliberate actions are taken to falsify data. We must maintain internal consistency. The simplest way is to prevent data modification. Given that change must occur, then "the primary assurance of integrity is the knowledge of authorship." (2:17) Two other internal consistency controls are applicable. One is to constrain change through the execution of specified software that certifies the change of data only in a specific way. The second is to ensure that change only occurs when performed by two different people authenticated to perform the change. We define this as partition of change. (2:17) Most importantly, when we consider integrity, we also must maintain external consistency. We must ensure the resultant outputs of our processes match the expectations and relationships of the outside world and reflect exactly those that existed outside the computer.
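The three internal-consistency controls just listed can be made concrete in code. The following is an added example, not from the paper: a small Python store whose data can change only through certified procedures, only when a second authenticated person approves, and always with a record of authorship. The account, the users and the `credit_100` procedure are constructed for illustration.

```python
"""Added example (not from the paper): a store that enforces knowledge of
authorship, change only through certified software, and partition of change
between two different authenticated people.  All names and data are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class IntegrityViolation(Exception):
    """A change attempted outside the controls."""


@dataclass
class AuditRecord:
    """Knowledge of authorship: who proposed, who approved, what changed."""
    item: str
    procedure: str
    proposer: str
    approver: str
    before: object
    after: object


@dataclass
class ControlledStore:
    data: Dict[str, object]
    # Constructed stand-in for real authentication: the set of logged-in users.
    authenticated: Set[str] = field(default_factory=set)
    # Constrained change: only procedures registered here may touch the data.
    certified: Dict[str, Callable[[object], object]] = field(default_factory=dict)
    pending: Dict[int, Tuple[str, str, str]] = field(default_factory=dict)
    audit: List[AuditRecord] = field(default_factory=list)
    _next_id: int = 0

    def certify(self, name: str, procedure: Callable[[object], object]) -> None:
        """Register software certified to change data in one specific way."""
        self.certified[name] = procedure

    def _require_authenticated(self, user: str) -> None:
        if user not in self.authenticated:
            raise IntegrityViolation(f"{user} is not an authenticated user")

    def propose(self, user: str, item: str, procedure: str) -> int:
        """First person: request that a certified procedure be applied to an item."""
        self._require_authenticated(user)
        if procedure not in self.certified:
            raise IntegrityViolation(f"{procedure!r} is not a certified procedure")
        if item not in self.data:
            raise IntegrityViolation(f"no such item {item!r}")
        self._next_id += 1
        self.pending[self._next_id] = (user, item, procedure)
        return self._next_id

    def approve(self, user: str, change_id: int) -> object:
        """Second person: the change is applied only when the approver differs
        from the proposer (partition of change), and the result is recorded."""
        self._require_authenticated(user)
        if change_id not in self.pending:
            raise IntegrityViolation(f"no pending change {change_id}")
        proposer, item, procedure = self.pending[change_id]
        if user == proposer:
            raise IntegrityViolation("partition of change: approver must not be the proposer")
        before = self.data[item]
        after = self.certified[procedure](before)   # the only path that writes data
        self.data[item] = after
        del self.pending[change_id]
        self.audit.append(AuditRecord(item, procedure, proposer, user, before, after))
        return after


def attempt(action: Callable[..., object], *args) -> bool:
    """Run an action and report whether the controls permitted it."""
    try:
        action(*args)
        return True
    except IntegrityViolation:
        return False


def credit_100(balance: int) -> int:
    """A certified transformation: the only way this store lets a balance grow."""
    return balance + 100


def demo_store() -> ControlledStore:
    """Constructed sample: one account and two authenticated clerks."""
    store = ControlledStore(data={"acct-1": 1000}, authenticated={"alice", "bob"})
    store.certify("credit_100", credit_100)
    return store


if __name__ == "__main__":
    s = demo_store()
    cid = s.propose("alice", "acct-1", "credit_100")
    print(attempt(s.approve, "alice", cid), s.approve("bob", cid), s.audit[-1])
```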




CHAPTER III

INTEGRITY CONSIDERATIONS

One basic responsibility of an organization's management is to take appropriate and reasonable measures to protect all its possessions. That responsibility must include its information assets as well. We only now are beginning to realize that it is as important to protect an item of information as it is to protect money or property.

There are typically five areas of concern that historically we consider as security related but are more specifically concerns of integrity: fraud, loss of confidentiality, inadvertent damage to data, malicious tampering, and physical damage to hardware. These apply to any type of computerized operation where integrity is important. Surprisingly enough, employees cause most of the damage in these five categories, not outsiders. Yet, the press often emphasizes those few crimes perpetrated by criminals and hackers. The larger the organization, the more chance exists for problems in the area of inadvertent damage to data, malicious tampering, and possibly physical damage to the hardware. (5:60)

One example typifies a problem that led to some earlier prosecuted cases of computer fraud: the automatic posting of interest to bank accounts without established standards or levels of precision. Consider what happens when you divide 22 by 7. This may be represented as 3.14, 3.143, 3.1429, and it goes on. The differences may be subtle, yet exploitation of these differences represented hundreds of thousands of dollars to clever crooks before the arrival of standards.
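As an added example (not part of the paper), the following Python models the interest-posting problem above: the same 22/7 percent rate written at different precisions, one declared standard, and a reconciliation check that flags a posting run computed at another precision or with a different rounding rule. The balances and the six-place standard are constructed assumptions.

```python
"""Added example (not from the paper): interest posting with and without an
agreed precision standard, and the reconciliation that exposes a run computed
at a different precision.  Balances and the 22/7-percent rate are constructed
to echo the illustration in the text; they are not real figures."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

CENT = Decimal("0.01")
HALF_CENT = Decimal("0.005")

# Constructed sample ledger: account -> balance in dollars.
BALANCES = {
    "A-1001": Decimal("1234.56"),
    "A-1002": Decimal("87.23"),
    "A-1003": Decimal("50000.00"),
    "A-1004": Decimal("0.99"),
}


def rate_at_precision(numerator: int, denominator: int, places: int) -> Decimal:
    """22/7 percent written to a chosen number of decimal places: 3.14, 3.143,
    3.1429 ... each is 'the rate' until a standard fixes the precision."""
    return (Decimal(numerator) / Decimal(denominator)).quantize(
        Decimal(10) ** -places, rounding=ROUND_HALF_EVEN)


def exact_interest(balance: Decimal, rate_percent: Decimal) -> Decimal:
    """Interest before posting rounding.  With a fixed-precision rate this is
    exact in Decimal arithmetic, so the checks below are exact comparisons."""
    return balance * rate_percent / Decimal(100)


def post_interest(balances, rate_percent, rounding=ROUND_HALF_EVEN):
    """Round each account's interest to cents under one declared rule and
    return (posted amounts, residual).  The residual is the sum of the
    rounding differences; a standard requires it to be recorded, not dropped."""
    posted = {}
    residual = Decimal(0)
    for acct, balance in balances.items():
        exact = exact_interest(balance, rate_percent)
        amount = exact.quantize(CENT, rounding=rounding)
        posted[acct] = amount
        residual += exact - amount
    return posted, residual


def reconcile(balances, standard_rate_percent, posted, residual) -> bool:
    """Defender's check after a posting run:
    1. credited amounts plus the recorded residual equal the exact total under
       the STANDARD rate (a run at another precision fails here), and
    2. no account differs from its exact interest by more than half a cent
       (a truncating run fails here even though its own totals balance)."""
    exact = {a: exact_interest(b, standard_rate_percent) for a, b in balances.items()}
    exact_total = sum(exact.values(), Decimal(0))
    if sum(posted.values(), Decimal(0)) + residual != exact_total:
        return False
    return all(abs(exact[a] - posted[a]) <= HALF_CENT for a in balances)


def demo():
    """Three posting runs checked against one declared standard (rate to 6 places)."""
    standard = rate_at_precision(22, 7, 6)               # 3.142857 %
    good, good_res = post_interest(BALANCES, standard)
    # Run computed from a two-place rate (3.14 %): the 'no standard' case.
    sloppy, sloppy_res = post_interest(BALANCES, rate_at_precision(22, 7, 2))
    # Run at the standard rate but truncating instead of rounding half-even.
    trunc, trunc_res = post_interest(BALANCES, standard, rounding=ROUND_DOWN)
    # Money that silently moved between the two rate representations.
    drift = sum(good.values(), Decimal(0)) - sum(sloppy.values(), Decimal(0))
    return (reconcile(BALANCES, standard, good, good_res),
            reconcile(BALANCES, standard, sloppy, sloppy_res),
            reconcile(BALANCES, standard, trunc, trunc_res),
            drift)


if __name__ == "__main__":
    print(demo())   # (True, False, False, Decimal('1.46'))
```

On four constructed accounts the two-place rate already shifts $1.46 in a single posting period; the reconciliation catches it because the credited total plus the recorded residual no longer equals the exact total under the standard.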

There has also been some concern expressed that large corporations and even the people within them will not always act with the public interest in mind.

People who have had technical educations aren't often well-versed in the ethical and social implications of how they use the technology. . . . Others take a more optimistic view. They stress the two points that it is not information technology that creates the problem but the choices that are made on how to use it, and that most problems arise because the new techniques have arisen in a framework of old institutions and attitudes. (6:21)


What position you happen to take really makes no difference. Information is important and it is equally important that we protect it. The idea of treating information as an asset, or more specifically a commodity to be valued, is new. Unfortunately, we have little experience in dealing with this idea. Part of the problem stems from information having some unique characteristics.

- It can be reproduced, quickly and at low cost.

- When information is stolen, you are not usually deprived of its use. What you lose instead is the exclusive right to use confidential information.

- Information can be transported instantly to nearly anywhere.

- Its value is determined by its useful life, sometimes very brief.

- Its value does not add up. Two copies of the same information are not normally worth much more than one copy.

These unique characteristics have created many problems in a legal, social, and business system that is not yet truly geared to cope with the new order. Our institutions still are oriented primarily toward the commercial exchange of tangible products and services, not to the use — and misuse — of information. (6:21)

The draft paper on "Trusted DBMS Interpretation" states that "integrity quite often impacts security and that security is necessary to provide some aspects of integrity." (7:2) The discussion of integrity intuitively leads to a discussion of security, especially those aspects of security that involve integrity controls. In the next chapter we will consider computer security and the implications of information integrity.


CHAPTER IV

SECURITY CONSIDERATIONS

Computers have become indispensable to almost every form of modern business and government. This has led to an increase in the potential for misuse not only of hardware and software but of computer data. "As the importance of computerized data increases for virtually every business, so does the danger to the security of that data. Data is under assault on a number of fronts, and figuring out how to protect it is getting harder and harder." (9:136) The people who create and work with computer products have the capability to alter or delete information stored in computers or to create totally new information. The security of this information, and other data stored in computers, is vital. Computer security encompasses the integrity, preservation, authorized use, and confidentiality of data. This starts with its generation, through its entry into computers, automatic and manual processing, output, storage, and finally its use. A primary motive for computer security is protection from intentionally caused loss. However, the news media frequently distorts computer crime and is quick to publicize its occurrence.

"To a good approximation, every computer in the world is connected to every computer — with few exceptions," says Robert Morris, chief scientist at the National Security Agency. That level of sharing brings with it both great benefits and serious problems. Computer users can share information, resources and processing power. However, using the same links, they can destroy or alter a rival's data, eavesdrop on private communications or pass on insidious computer programs capable of proliferating like viruses, overwhelming networks and taking over computer operations. (9:199)

Now is the time to realize that we must devise a basic program that will guard our information. Computer security plays an integral role in establishing that protection. With the proliferation of personal computers (PCs) the security problem is becoming intolerable. It is common for PC users to pass around copies of software or download programs from electronic bulletin boards. The ease with which this transfer can occur portends disaster from the insidious deployment of computer viruses. Having many PCs networked together raises the spectre of maliciousness to epidemic proportions.

Tom Manuel has identified two distinct kinds of security threat. "Besides the older, ever-present threat of equipment or software failure (and the related threat of damage done by inexperienced users), there is now a very real threat from malicious users. That problem, in turn, breaks down into two separate problems — keeping malicious outsiders off the system, and preventing disgruntled or criminally inclined employees from attacking it." (3:137)

What aspects of security need to be addressed? The integrity issues that are directly interrelated to security will be identified. Access is the first security problem that the average user encounters. It is as necessary to limit who may use a particular computer as it is to control the storage and retrieval of that information.

Control of the physical environment is the initial security access mechanism to the computer and ultimately the data. The next level usually involves the use of passwords. While the use of passwords has historically been thought of as an adequate security measure, traditional password systems alone no longer provide the necessary security for many commercial, government, and military activities. We now need more reliable methods to identify a specific user of a system, not just someone who has access to it.

We find that many operating systems do not store passwords in encrypted files or databases. Gaining access to a system may gain you access to passwords that in turn provide access to sensitive data. This scenario may permit jumping from one system to another within a network. Access may be obtained to systems for which you have no access rights (e.g., an uncleared user may gain access to a system containing classified information, or access to data of a higher classification than authorized).

Retaining a single user password for long periods of time invites either misuse or attack. The solution would be to change passwords dynamically after each use. There is then almost no opportunity to gain access and use the password later.

We also must consider the human aspect of password use. How many managers let their secretaries use their passwords to retrieve electronic mail? Do we share passwords to ease continued operation at vacation time? How many of us routinely employ familiar personal details, such as birthdays, names of children, or simplified patterns for our passwords? These simplifications subvert the intent of password systems and make it significantly easier to access a system maliciously. It seems that the more difficult a password is to guess, the more difficult it is to remember. If it is difficult to remember, we tend to write it down and again subvert the intention of password use on a computer system. Over-reliance on a single system for access is foolhardy. We now have other methods in addition to password use to verify access. These are commonly called authentication systems or tests.

If users were required to pass a combination of authentication tests, unauthorized commandeering of other users' privileges would be considerably restricted. The different methods for achieving this combination, technically known as "extended user authentication," fall into five categories. These are: something users know (like passwords), something users have (like magnetic cards - tokens), something users are (like fingerprints), something users can do (like sign their name), and someplace users are (implemented via terminal identification codes and other more secure mechanisms). (10:18)


If we are to consider the acquisition and employment of authentication technologies and systems we must be aware of the cost. The actual purchase and installation costs pale by comparison to the costs associated with defining user privileges, educating users, the life-cycle costs of maintaining the data base, and handling of problems. Given that no security system is unbeatable, authentication schemes offer a positive step forward to traditional password


Modification of information, and whether the modification results in information that is in some sense consistent or correct, are aspects of integrity. Permission to change or authorization to modify is an aspect of security control that may lead to a breach of data or information integrity. We divide authorization into two categories. The first is mandatory integrity authorization, which deals with integrity classifications reflecting the importance of data, and clearances reflecting user trustworthiness. The second is discretionary integrity authorization, which we base on a user's need to modify information. Both mandatory and discretionary integrity controls can protect data from malicious tampering and destruction. These controls also protect from accidental modification and destruction through operator error or faulty software. (3:264)

Whether we consider a single workstation connected to a computer system or many workstations connected to a network, the access problems are similar. Security problems, on the other hand, are not. Networks offer many avenues of access to data to many people, some of whom may be sophisticated enough to subvert the security systems. Security policies must be in place to prevent the natural disaster or the malicious attack that either brings a network down or restricts access to the databases. Should each node of the network maintain its duplicate database? Distributed databasing techniques may offer a solution. Anyhow, a good security plan will include provision for disaster recovery.
In general, security systems will control, through use of specific security features, access to information. These systems ensure that only properly authorized individuals will have access to read, write, create, or delete information.

Systems that employ sufficient hardware and software integrity measures and permit processing of a range of sensitive or classified information are trusted computer systems. The Department of Defense Trusted Computer System Evaluation Criteria identifies six fundamental computer security requirements:

SECURITY POLICY - There must be an explicit and well-defined security policy enforced by the system. . . . there must be a set of rules that are used by the system to determine whether a given subject can be permitted to gain access to a specific object.

MARKING - Access control labels must be associated with objects. . . . it must be possible to mark every object with a label that reliably identifies the object's sensitivity level and/or the modes of access accorded those subjects who may potentially access the object.

IDENTIFICATION - Individual subjects must be identified. Each access to information must be mediated based on who is accessing the information and what classes of information they are authorized to deal with.

ACCOUNTABILITY - Audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party. A trusted system must be able to record the occurrences of security-relevant events in an audit log.

ASSURANCE - The computer system must contain hardware/software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces the requirements previously mentioned.

CONTINUOUS PROTECTION - The trusted mechanisms that enforce these basic requirements must be continually protected against tampering and/or unauthorized changes. (7:3)

The guidelines provided are meaningless if no one is willing to take action to implement security practices. Over the years, public ignorance of information processing and the technology associated with the computer revolution has been an important part of security defenses. With the ever broadening base of a computer literate workforce and sophisticated users, the threat of abuse is increasing. Implementation of effective security procedures and controls will only occur with management's commitment and support. However, the most rigorous security capabilities can be undermined even where controls and procedures exist, if they lack substance. Protection of corporate information is the responsibility of all members of the organization, and becomes more critical as the era of distributed processing is upon us. It is our responsibility to be more diligent as we build our databases and employ database management systems that control the accessibility of our information.




CHAPTER V

DATABASES AND DATABASE MANAGEMENT SYSTEMS

What do we mean by database or database management systems (DBMSs)? A database is a collection of information that is related or logically connected. It is organized in such a manner that data may be retrieved at will. Databases stored on computer systems are often referred to as files.

DBMSs are defined as software packages that permit multiple files to be accessed or used simultaneously. Most DBMS packages include a programming language to design specific user applications. Most will have a menu interface that allows simple constructs or databases to be created. DBMSs vary in power, and their design (fixed or variable length systems) will determine many of their capabilities. Systems based on a fixed length construct will waste storage space and impose constraints on record or field size. Response time (time needed to access data) for very large databases could be slow. However, their advantage lies in ease of use, and they are typified by most commercial systems. Variable length systems overcome space and length limitations. They are usually more complex, requiring implementation by computer professionals or highly trained users.
In the early days of data processing, almost all data was on removable magnetic tapes or card decks. Security problems associated with unauthorized access, manipulation, or destruction were primarily of a physical nature. However, with the arrival of fixed and removable disk systems, random access processing, and remote computer access (via communications), security considerations began to increase.

Data integrity in the database management sense can be thought of as the correctness of the data itself. Also included are any associated data structures and information required to access the database. Locking mechanisms for the update and addition of information to a database are principal concerns of database integrity. If a user is updating the database, an exclusive lock mechanism must deny other users access, specifically if they are attempting to update the database or retrieve information.

Today's database management systems (DBMS) are essentially multilevel and multiuser data storage devices. These systems have all the potential weaknesses one might expect from a system designed for extensive user sharing. They lack a primary emphasis on security or consideration for information integrity. "The distinction between the security responsibilities of the database management system and the operating system is not well defined. The responsibilities of the database management system depend upon the security policy of the operating system." (3:249)
The installation of special safeguards provides sufficient multilevel access controls for most DBMSs but not the integrity of the data. Within the general purpose operating system environment, there are two basic types of security policies enforced: those that provide some degree of discretionary access control, and those that provide mandatory access controls.

Discretionary access control is "a means of restricting
access to objects based on the identity of subjects and/or groups
to which they belong." (7:112) Systems that rely only upon
discretionary security policies to provide a secure environment can
be easily circumvented. For example, a user may be able to bypass
the DBMS's security controls and access any database directly from
the operating system, thus permitting the database files to be
read with conventional file access techniques.

Mandatory access control is "a means of restricting access
to objects based on the sensitivity (as represented by a label) of
the information contained in the objects and the formal
authorization (i.e., clearance) of subjects to access information of
such sensitivity." (7:114) Attaching labels to data and requiring
clearance authorization provides protection for each user. For
example, a user cannot exist at the top secret level and modify an
unclassified file even if there is discretionary access to the file.
Operating systems that enforce mandatory access control policies
afford the DBMS all the advantages of discretionary access control,
and add further security controls.
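As an added illustration of the two policy types just described (example code, not from the paper), the following Python reference monitor combines a discretionary check, an access control list keyed by user or group, with a mandatory check on sensitivity labels and clearances. The subjects, objects, labels and level ordering are constructed for the example; the mandatory rule applied is the Bell-LaPadula no-read-up/no-write-down rule, which is what keeps a top secret user from modifying an unclassified file even when the ACL would allow it.

```python
"""Reference monitor combining discretionary and mandatory access control.
Added example, not from the paper: subjects, objects, labels and the level
ordering below are constructed; the mandatory rule is Bell-LaPadula style
(no read-up, no write-down)."""
from dataclasses import dataclass, field

# Sensitivity levels, least to most sensitive (constructed for the example)
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


@dataclass
class Subject:
    name: str
    clearance: str
    groups: set = field(default_factory=set)


@dataclass
class Obj:
    name: str
    label: str                               # sensitivity label (mandatory policy)
    acl: dict = field(default_factory=dict)  # principal or group -> set of modes


def dac_allows(subj, obj, mode):
    """Discretionary check: the ACL grants the mode to the user or one of its groups."""
    for principal in {subj.name} | subj.groups:
        if mode in obj.acl.get(principal, set()):
            return True
    return False


def mac_allows(subj, obj, mode):
    """Mandatory check on labels: read only at or below clearance (no read-up),
    write only at or above clearance (no write-down)."""
    s, o = LEVELS.index(subj.clearance), LEVELS.index(obj.label)
    if mode == "read":
        return s >= o
    if mode == "write":
        return s <= o
    return False


def access(subj, obj, mode):
    """Both policies must allow; an ACL entry never overrides the label check."""
    return dac_allows(subj, obj, mode) and mac_allows(subj, obj, mode)


# Constructed sample subjects and objects
ALICE = Subject("alice", "top secret", {"analysts"})
BOB = Subject("bob", "unclassified", {"analysts"})
BUDGET = Obj("budget.dat", "unclassified", {"analysts": {"read", "write"}})
PLANS = Obj("plans.dat", "secret", {"alice": {"read", "write"}, "bob": {"read"}})


def decisions():
    """Access decisions for the sample data, keyed by what each one illustrates."""
    return {
        # top secret user may not modify an unclassified file despite ACL write
        "alice_write_unclassified": access(ALICE, BUDGET, "write"),
        "alice_read_unclassified": access(ALICE, BUDGET, "read"),
        "bob_write_unclassified": access(BOB, BUDGET, "write"),
        # ACL grants bob read on secret data; the label check denies it
        "bob_read_secret": access(BOB, PLANS, "read"),
        "bob_read_secret_dac_only": dac_allows(BOB, PLANS, "read"),
    }


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The last entry shows why a discretionary policy alone is insufficient: the ACL by itself would let bob read plans.dat, and only the label check closes that path.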


Most DBMS run on top of the computer's operating system.
They normally allow the operating system to control the input and
output functions for all data transfers to the storage medium. The
user receives access to the databases that reside on the system
for which the password is valid, only after authentication of the
password.

Even where the DBMS itself provides control over access,
the end use of the data cannot be controlled. Thus, most DBMSs do
not provide sufficient multilevel access control. The crux of the
problem is that most operating system access control mechanisms
only guard the system, not the data itself. There needs to be
some degree of access control at the file, record, field, and data
element level for read, write, and execute permission.

Database management systems, which first became widely
available some 20 years ago, are, for many users, the single
most crucial piece of software they will ever own.

Minicomputer and mainframe based DBMS packages are often
criticised for their incompatible data structures and inflexible
user interfaces; problems commonly associated with micro-based
DBMSs range from slow performance to their inability to manage
sophisticated programming tasks. In addition, several areas of
concern are common to both classes of DBMSs: a troubling
absence of data integrity and security functions, the lack of
standards, and vendors that advertise inherently nonrelational
systems as relational. (11:67)

Distributed database management systems are relatively new

CHAPTER VII


NETWORKING 

Computers were once scarce enough, and limited enough, that
communication between them was impractical and unnecessary. Still,
as the number of machines and users increased, the use and demand
for communications increased. The development of high speed data
communications for both local and wide area networks resulted from
the ingenious use of hardware and software.

Computers have changed dramatically. Today's computers
bear little resemblance to the minicomputers of the 1970's. Those
machines required optimization in areas of memory management, disk
input/output (I/O) control, and terminal I/O. Today's machines
require optimization in network access and use.

Technology plays an important role in the security of
communications systems. Local area networks (LANs) already have
wide use in the United States and abroad for linking computer based
systems. They represent another area of information technology in
which security and integrity issues receive little attention. LANs
are becoming the standard means of implementing distributed
information processing systems. Securing these systems is more
than a matter of convenience. It is a matter of survival. The
integration of computers and teleprocessing networks has increased
the scope of the problem.


When one person is using a single computer from a locked
room, there is no security problem with the possible exception of
electronic emanations (Tempest concerns). This observation is not
useful by itself, but focuses attention on the alternate case:
information security problems arise as access to computers
increases. Because a network's purpose is to extend access,
networks inherently increase the risk to information security. It
is ironic that extended access, the fundamental benefit of
networking, is also the source of risk for accessing data.

It is imperative that an organization focus special attention
on the network environment and carefully evaluate the risks that
are unique to that environment. After identifying the nets and
performing a quantitative evaluation of the vulnerabilities to loss,
a cost benefit analysis will decide the protective measures which
should be implemented. Preferably, this evaluation needs to be made
prior to the installation of a network. Retrofitting security and
integrity controls to an existing network can be expensive.

Although network data security has improved, the security
problem has not disappeared, and it's one that few network
users and administrators can ignore. Security issues regarding
personal computer based local area networks have become
critical as more and more large corporations choose LANs as
alternatives to the costly mainframes and minicomputers they
once favored. (12:136)
security posture. The frequency with which hackers breach the
security of major commercial, government, and other data centers
illustrates the escalation of the threat.

"While the level of security you need always depends on the
application, you can analyze your network's security needs by
performing a risk assessment based on the DoD's own guidelines."
(12:139) Data sensitivity, specifically in the government arena, is a
most important issue. "You will considerably reduce the opportunity
for someone to intercept data or intrude on the system, if you can
avoid any kind of remote or real-time processing on your network.
. . . In the event of a breach . . . if your data is altered or
obliterated or your hardware damaged, you can restore the system
painlessly to current or near-current status from your backup
system." (12:141)

Virtually all of the people involved in a network are
basically well-meaning and careful. The challenge is protecting
them and the system from the tiny number who are malicious or
foolish. Making it impossible for the latter to carry out their
nefarious activities might seriously inconvenience everyone else.
We must seek out ways of controlling aberrant activities
without impeding communication. (13:66)

Networks pose a unique challenge for security and integrity
considerations. We must ensure that only the intended destination
is the recipient of information transmitted from any point in the
network and nowhere else. We must ensure that the information
received at any point in a network is the same in content as the
data transmitted (nothing added, nothing removed, and nothing
changed). We must ensure that all components of the network
(terminals, terminal controllers, modems, nodes, data links, and
telecommunication lines) on the organization's premises are
accessible only to employees with authorized access. We must
ensure that the sender of the information can verify that receipt
was by (and only by) the authorized recipient. We must ensure that
the recipient of information can verify that the person from whom
the communication appears to come is really the person who sent it.
We must ensure that information, while in transit, cannot be
observed, tampered with, or extracted from the network by some
unauthorized person or device. We must ensure that any attempt to
observe, tamper, or extract information from the network by an
unauthorized person or device can be identified. We do this so that
appropriate action can be taken to prevent future occurrences. We
must ensure that adequate alternate paths are available to
transmit information from any point in a network to any other point
to which the need exists. And finally, we must ensure that in the
event that a failure of both the primary and alternate
communication paths should occur, an alternate means of
communicating critical information has been identified, implemented,
and tested. (11:100-102)
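The following Python example (added here; not part of the paper) shows how a keyed message authentication code meets several of the requirements just listed: the recipient can verify that a message came from a holder of the shared key, any addition, removal or change in transit is detected, and every failed check is recorded so the attempt can be identified and acted upon. The key, the message layout and the sequence-number rule are constructed for the example; a real deployment would provision the key out of band.

```python
"""Keyed message authentication for data in transit between two network nodes.
Added example, not from the paper: the shared key, message layout and
sequence-number rule are constructed for the illustration."""
import hashlib
import hmac
import json

# Constructed shared key; a real system would provision it out of band
KEY = b"constructed-shared-key-for-this-example"


def make_message(key, sender, seq, body):
    """Sender side: bind origin, sequence number and body under one HMAC tag."""
    payload = json.dumps({"from": sender, "seq": seq, "body": body}, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload, tag


class Receiver:
    """Receiver side: accepts only messages with a valid tag and the expected
    sequence number, and records every failed check for follow-up."""

    def __init__(self, key):
        self.key = key
        self.expected_seq = 0
        self.audit = []  # (reason, detail) for each identified attempt

    def accept(self, payload, tag):
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # altered, or not from a key holder
            self.audit.append(("bad_tag", payload))
            return None
        msg = json.loads(payload)
        if msg["seq"] != self.expected_seq:  # replayed, or something removed
            self.audit.append(("seq_mismatch", msg["seq"]))
            return None
        self.expected_seq += 1
        return msg


def demo():
    """Deliver a constructed traffic sample and report what the receiver did."""
    rx = Receiver(KEY)
    p0, t0 = make_message(KEY, "site-a", 0, "transfer 100")
    p1, t1 = make_message(KEY, "site-a", 1, "transfer 250")
    p2, t2 = make_message(KEY, "site-a", 2, "close account")
    p3, t3 = make_message(KEY, "site-a", 3, "end of day")
    px, tx = make_message(b"some-other-key", "site-a", 2, "transfer 999")
    return {
        "genuine": rx.accept(p0, t0),                        # accepted
        "altered": rx.accept(p1.replace("250", "950"), t1),  # None: tag mismatch
        "original": rx.accept(p1, t1),                       # accepted
        "replay": rx.accept(p1, t1),                         # None: seq already used
        "gap": rx.accept(p3, t3),                            # None: message 2 missing
        "wrong_key": rx.accept(px, tx),                      # None: not from a key holder
        "resent": rx.accept(p2, t2),                         # accepted
        "audit": list(rx.audit),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The tag covers the sender field and the sequence number as well as the body, which is what lets the receiver tell a dropped or replayed message from a genuine one; confidentiality against observation on the line is a separate requirement and would need encryption in addition.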

We need to be able to move data and software around the
network to the most logical place in the user environment. This
enhances productivity and gives the user more flexibility in his
capabilities. Distributed database systems can keep track of all
information on all databases on all computers in a network, but
they can not guarantee the integrity of the data. "Easy access to
data from multiple, heterogeneous remote database management
systems could become a reality in the not-too-distant future if an
important proposed software standard movement continues to gain
momentum." (15:59) Jeff Moad is referring specifically to Remote
Data Access (RDA) as a standard protocol for accessing remote
databases. The key is that RDA assumes the use of a single,
common Structured Query Language (SQL) implementation. There is
movement in this direction as "users are beginning to understand
the importance of a standard like RDA." (15:63) SQL standardization
is not solving all the problems. Eventually, any user of any type
of machine in a network will have easy access to data stored on
any other machine in that network, no matter which company made the
machine or which operating system it uses. RDA could provide a
standard way to access databases remotely over a network.

Personal computers have more compute power today than
ever before. The trend is to build smaller ones with even more
power than some mainframes in current use. Networking these
together to only gain access to a central storage facility is not
distributed processing or distributed databasing. Although we realize
efficiencies in reduction of access time, we do not attain the true
potential of the distributed environment. There is a transition as
personal computer use expands beyond the personal application and
shares software as well as data with the mainframe. Yet, this
transition increases cost and compounds the integrity issue.

This whole problem becomes more complicated in the
networked multilevel sense in that users at different locations with
different authorizations could well be modifying attributes of the
same data simultaneously. Networking has only complicated the
integrity issue.

What we are discussing is network management. In practice,
network management means evaluating hardware technologies with as
much emphasis on telecommunications capabilities as on sheer
processing performance. It means developing systems level software
tools that guarantee network security and create consistent, easy
to use interfaces between workstations of different power built
around different architectures. It means implementing connectivity
standards throughout the organization so that users are free to
revise their applications without jeopardizing the company's entire
network. Most importantly, the centralized support center must set
the technological and organizational ground rules to guide the
individual departments and have the authority to enforce those
guidelines. In short, it means setting technological and
organizational ground rules to guide self-directed computer users.


CHAPTER  VII 


THE  DISTRIBUTED  ENVIRONMENT 

Managers today are eager to bring the latest technologies
into their environments. With the thousands of terminals,
workstations, minicomputers, and mainframes now in use, the need to
maximize the employment of these resources and maintain integrity
of information is compelling. Many believe that distributed data
processing means the spread of computer hardware and data to
multiple sites within an organization. Distributed processing is
really more than what this implies. "The term distributed ... is
properly used to describe a system in which processing is shared
among several (or many) workstations, rather than centralized at one
location." (16:79) This gets closer to a good definition of
distributed processing, but I believe Frederic Withington has
captured the true essence of the term. "Real distributed data
processing requires the geographical division of a data processing
application among multiple sites. It implies intercommunication among
the sites for inquiries and file updates, and sharing of processing
resources, files, and complex data bases." (17:105)

In terms of integrity and security concerns the distributed
environment presents serious problems in concurrency control and
database modification. Henning and Walker have stated:
Locking in the distributed environment has to be done very
carefully to avoid denial of service to nonlocal nodes which may
be doing retrievals against a database while another user is
doing updates. . . . The possibility of compromise increases when
data is accessed over a distributed system, simply because the
user now has access to more than one computer system
available for penetration attempts. Denial of service attacks
are harder to detect and differentiate from a normal database
lock on another node or the time spent in network traffic. The
preservation of label integrity and label recognition must also
be addressed. It is also possible that the problems associated
with data inference and aggregation will become increasingly
more complex as additional nodes are added to a distributed
system. In addition to all of these problems, the issues of
network security must be considered in the development of the
distributed database management system. (3:254)

Only now are we beginning to understand the complexities
and implications of the distributed database.

In a system running a distributed data base, not only are
there multiple CPU's, but the data as well may be distributed
over several mass storage devices located at physically
separate sites. The actual location of any item of data does
not need to be known in order to make an inquiry, and the
process of finding, retrieving, and storing records from the
correct mass storage device is completely transparent to the
users. (16:79)

The key to successful implementation of a distributed
database is the sophistication of the database management
executive software and the operating system. Information stored at
two or more different sites needs to be treated as a single logical
database. The system should be able to resolve the problems that
are associated with multiuser databases.

It must not permit two users to update the same data (the same
field or record) at the same time or to carry out conflicting
global changes in a file. In addition, the data base software
must be able to retrieve the requested data from any physical
storage site, update it from any other location, and then
transmit the changes back to the point of origin. (16:80)
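The earlier passage on exclusive locks for database updates, the remark that users at different locations may modify the same data simultaneously, and the Henning and Walker quotation on locking in the distributed environment all describe one mechanism. The Python lock manager below is an added example (not from the paper or the works it quotes) of that mechanism: an exclusive lock for updates denies every other requester, shared locks for retrievals deny updaters, and a bounded wait keeps a nonlocal node from being starved indefinitely by a long-running update. The node names, the record and the timeout policy are constructed for the example.

```python
"""Shared/exclusive lock manager for one database record.
Added example, not from the paper or the works it quotes: node names, the
record and the timeout policy are constructed for the illustration."""
import threading
import time


class LockManager:
    """Exclusive lock for updates, shared lock for retrievals. A holder of the
    exclusive lock denies every other requester, readers included; any shared
    holder denies updaters. A request waits at most `timeout` seconds, so a
    remote node is refused (and can retry) rather than starved indefinitely."""

    def __init__(self):
        self._cv = threading.Condition()
        self._writer = None    # node holding the exclusive lock, if any
        self._readers = set()  # nodes holding shared locks

    def acquire(self, node, mode, timeout=0.2):
        deadline = time.monotonic() + timeout
        with self._cv:
            while True:
                conflict = self._writer is not None or (
                    mode == "exclusive" and self._readers)
                if not conflict:
                    if mode == "exclusive":
                        self._writer = node
                    else:
                        self._readers.add(node)
                    return True
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    return False  # denied for now; caller decides whether to retry
                self._cv.wait(remaining)

    def release(self, node):
        with self._cv:
            if self._writer == node:
                self._writer = None
            self._readers.discard(node)
            self._cv.notify_all()


class Record:
    def __init__(self, value):
        self.value = value
        self.locks = LockManager()

    def update(self, node, fn, timeout=0.2):
        """Read-modify-write under the exclusive lock; False if the lock was denied."""
        if not self.locks.acquire(node, "exclusive", timeout):
            return False
        try:
            self.value = fn(self.value)
            return True
        finally:
            self.locks.release(node)


def lost_update_without_lock(initial, increment):
    """Two nodes read the same value, then both write: the second write
    overwrites the first, so one increment is lost."""
    read_by_a = read_by_b = initial
    value = read_by_a + increment  # node A writes
    value = read_by_b + increment  # node B writes from its stale read
    return value                   # initial + increment, not initial + 2 * increment


def concurrent_updates(n_nodes, per_node):
    """n_nodes threads each apply per_node increments under the exclusive lock."""
    rec = Record(0)

    def worker(node):
        for _ in range(per_node):
            while not rec.update(node, lambda v: v + 1):
                pass  # denied after the wait: retry

    threads = [threading.Thread(target=worker, args=(f"node-{i}",))
               for i in range(n_nodes)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return rec.value  # n_nodes * per_node: no update lost


def remote_read_during_update():
    """A remote retrieval is refused while a local update holds the exclusive
    lock, and granted once the update releases it."""
    rec = Record(0)
    rec.locks.acquire("local", "exclusive")
    during = rec.locks.acquire("remote", "shared", timeout=0.05)
    rec.locks.release("local")
    after = rec.locks.acquire("remote", "shared", timeout=0.05)
    rec.locks.release("remote")
    return during, after  # (False, True)
```

The timeout is the design point the quotation is concerned with: a refusal after a bounded wait is distinguishable from an ordinary lock held on another node, whereas an unbounded wait is not.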


Frederic Withington's definition acknowledges that data
processing is an organizational resource consisting of many areas
of activity. Each activity may be executed or controlled by
various individuals at various locations within the organization.
The act of spreading activities, or areas of responsibilities, across
an organization is decentralization of computer processing.
Managers need to be careful as they try to find out what is
appropriate in terms of degree of decentralization for their
organizations. The question, how much decentralization, must be
resolved to maximize the efficiency and use of the computer
resources in a distributed environment. This one issue alone has
created more divisiveness than any other. As such, a closer
examination of the causes needs to be undertaken.

We must be cautious as we implement decentralization, for
many perils await the unwary. If you allow two or more departments
within your organization to develop information systems and write
applications, consolidating reports becomes difficult if not
impossible. Responsiveness to individual needs interferes with
corporate level data collection and analysis. To allow individual
departments to purchase computer hardware and specify the most
needed applications also creates problems. Even if your centralized
applications center writes the programs to ensure conformance to
standards, backlogs inevitably occur. Frustrated users begin
developing applications and buying software products that meet
their particular needs. One invariably ends with many databases and
files that are incompatible or cannot be passed to the central
computer complex; thus continuity of information and data integrity
are lost.

Many organizations still operate in an environment where the
centralized development center governs transaction oriented systems
and users have limited technical expertise. Applications tend to be
simplified yet specialized. The users often lack the clout within
the organization to voice or act on any dissatisfaction they feel
about the system. The simplicity of the applications and the lack
of expertise among end users allows the centralized department to
maintain a tight grip on computing systems. It trains and supports
users and distributes single, centrally developed versions of
software. Minimizing response time, not cost, should be the
controlling element when deciding how to meet users' needs.

This environment suffers from several built-in problems.
First, users may spend the bulk of their day working with the
computers but they have little control over how they operate.
Companies that base service on minimizing costs often create long
backlogs for users who seek to have programs updated or modified.
Even when cost is not an issue, as in many government agencies,
there is resistance to upgrading responsiveness to users. The
fear is that too many versions of an application may undermine
software consistency. Backlogs and lack of responsiveness breed
resentment. Ultimately, the classic information systems dilemma
must be faced. Should the centralized department expand its
programming staff to make it more responsive to users' needs? Or
should it accept the users' growing confidence by loosening control
over applications while requiring conformity to data and
communications standards? Once users reach a critical mass of
restlessness, the status quo is almost impossible to maintain.

Developers need to work closely with users when writing
programs and discourage features that might interfere with the
company's broad computing goals. Central computing centers can act
as software librarians, maintaining programs and swapping
applications between offices and departments. Central departments
also must play a mediating role as offices and divisions vie for
limited resources. Scarce programming resources, particularly for
maintaining existing applications, are a great source of instability.

Although a centralized facility can define development
procedures in principle, in practice frustrated users threaten
program consistency in several ways. Users hire consultants with
or without authorization and write programs or entire applications
that do not follow guidelines. The availability of low cost, off the
shelf software also causes inconsistencies. Users create databases
and files that do not meet standards, thus becoming incompatible
with existing programs or network software. These pockets of
valuable information can introduce inaccuracies into corporate wide
data and jeopardize the smooth functioning of strategic
applications.


Organizational subunits will differ in goals, time
perspectives, interpersonal relationships, and structure.
Uncertainty in setting priorities has motivated user group managers
to seek control over all system services they see as critical to
their operations. When it appears practical and economic, managers
who feel sufficiently competent will have strong motivation to
control and even to run their own data processing groups.

Power to make decisions often rests at the level where
information accumulates and analysis occurs. Since information
support is a necessary condition for effective power, managers can
use distributed information systems strategically to bolster the
authority of system users in the organization.

The specialization of computer applications causes many
organizations to overlook potential, and more general, roles for
information systems. Information systems are not simply labor
saving devices that support the activities of people in one or more
departments. They are control and coordination devices that should
fit an organization's formal structure and simplify achievement of
its goals.

Careful attention must go into planning the arrangement of
the data processing resources that develop and operate information
systems. Control of activities must be applicable in either
developmental or operational environments. Accessing data as a
developmental activity usually represents management's desires.
However, they place restrictions on the kinds of data that will be
collected and used within the
Management can control and coordinate activities not only
by direct supervision but also by establishing comprehensive
guidelines or standard operating procedures. The control of the
technical concerns of database administrators is a typical example.
Their responsibilities can be either centralized in an individual or
a group. They can be decentralized but constrained by centrally
designed standards, or they can be decentralized with virtual
independence. In the future, the second approach probably will
become increasingly more important. Therefore, the data processing
manager can define comprehensive standards that can be enforced by
top managers or a highly placed steering committee. These
standards can be used in a decentralized organization to protect
the data processing department from excessive control by the user.

Central processing units are becoming cheaper as they
become more powerful. Although these may be somewhat inexpensive,
to maintain redundant peripherals that may sit idle a good bit of
the time is not cost effective. With distributed processing,
communications costs also may increase as all nodes must be
completely interactive.

As we are already aware, integrity errors can occur from
undetected erroneous data entry. Errors also occur from software
bugs, from equipment or line failures, and deliberate acts. The use
of a centralized system simplifies tracing the cause of the error.
Unfortunately, the discrepancy is not often caught when it occurs.
We need to be prepared to trace the error and restore the system
to its proper state.


The need to establish standards has been discussed, but
needs to be reemphasized. Distributed processing demands adherence
to standards as multiple systems interact in the course of their
activities. We must agree upon the definition for data elements. A
way to maintain data, whether adding, changing or deleting data, is
necessary. And, we need to ensure redundancy or recovery of data
files if altered or lost. Our most crucial concern is that
"consistency on any distributed system is critical." (13:63)
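The following Python store is an added example (not from the paper) of the controls this paragraph and the earlier one on tracing integrity errors call for: agreed data element definitions that reject nonconforming entries, a single journaled path for adding, changing and deleting data, a checksum that reveals alteration of the data outside that path, and recovery by replaying the journal. The element definitions and sample records are constructed for the example.

```python
"""Journaled record store with agreed data element definitions and
checksum-based recovery. Added example, not from the paper: the element
definitions and sample records are constructed for the illustration."""
import hashlib
import json

# Agreed definitions for the data elements (constructed): name -> (type, rule)
ELEMENTS = {
    "account": (str, lambda v: len(v) == 8 and v.isdigit()),
    "balance": (int, lambda v: v >= 0),
    "site": (str, lambda v: v in {"HQ", "EAST", "WEST"}),
}


def validate(record):
    """Reject an entry that does not conform to the element definitions."""
    if set(record) != set(ELEMENTS):
        raise ValueError(f"elements differ from standard: {sorted(set(record) ^ set(ELEMENTS))}")
    for name, (typ, rule) in ELEMENTS.items():
        value = record[name]
        if type(value) is not typ or not rule(value):
            raise ValueError(f"element {name!r} invalid: {value!r}")


def digest(data):
    return hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()


class Store:
    """Adds, changes and deletes go through one path that appends to a journal
    (who, what, prior value) before touching the data, so an error can be traced
    to its cause and the data rebuilt from the journal."""

    def __init__(self):
        self.data = {}     # key -> record: the "data file"
        self.journal = []  # append-only list of entries
        self.checksum = digest(self.data)

    def _commit(self, op, key, record, who):
        before = self.data.get(key)
        self.journal.append({"op": op, "key": key, "who": who,
                             "record": dict(record) if record else None,
                             "before": dict(before) if before else None})
        if op == "delete":
            del self.data[key]
        else:
            self.data[key] = dict(record)
        self.checksum = digest(self.data)

    def add(self, key, record, who):
        validate(record)
        if key in self.data:
            raise KeyError(f"{key} already exists; use change()")
        self._commit("add", key, record, who)

    def change(self, key, record, who):
        validate(record)
        if key not in self.data:
            raise KeyError(key)
        self._commit("change", key, record, who)

    def delete(self, key, who):
        if key not in self.data:
            raise KeyError(key)
        self._commit("delete", key, None, who)

    def verify(self):
        """True if the data still matches the checksum taken at the last commit."""
        return digest(self.data) == self.checksum

    def recover(self):
        """Rebuild the data by replaying the journal; returns the rebuilt copy."""
        rebuilt = {}
        for entry in self.journal:
            if entry["op"] == "delete":
                rebuilt.pop(entry["key"], None)
            else:
                rebuilt[entry["key"]] = dict(entry["record"])
        self.data = rebuilt
        self.checksum = digest(rebuilt)
        return rebuilt

    def trace(self, key):
        """Journal entries that touched a key, oldest first."""
        return [e for e in self.journal if e["key"] == key]


def demo():
    """Walk one record through entry, an erroneous entry, a silent alteration
    outside the controlled path, detection, and recovery."""
    s = Store()
    s.add("A1", {"account": "00000001", "balance": 100, "site": "HQ"}, who="clerk-1")
    s.change("A1", {"account": "00000001", "balance": 250, "site": "HQ"}, who="clerk-2")
    try:
        s.change("A1", {"account": "00000001", "balance": -5, "site": "HQ"}, who="clerk-3")
        rejected = False
    except ValueError:
        rejected = True               # caught by the element definition
    s.data["A1"]["balance"] = 999     # alteration that bypassed the store (simulated)
    detected = not s.verify()         # checksum no longer matches
    restored = s.recover()["A1"]["balance"]
    return rejected, detected, restored, len(s.trace("A1"))  # (True, True, 250, 2)
```

In a distributed setting the journal is what the sites would exchange to bring a remote copy back into consistency with the point of origin; the checksum only tells you that a copy has drifted, the journal tells you who changed what and lets you rebuild it.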

The distributed environment is here to stay and supports
the idea of decentralization. Clearly, there needs to be a central
authority to ensure that the distributed environment can function
and maintain integrity. This becomes critical for the systems
employed and the data to be shared.


CHAPTER  VIII 


SUMMARY  AND  CONCLUSIONS 

Information is our most precious resource. As such, the
perceptions of the initiator and the recipient decide the value of
data and information. When we consider the value of information, we
find that it has truly unique characteristics. The same information
may have a different value to different people simultaneously and
even a different value over time. For example, the same bit of
information may be perishable yet timeless. Consider the date and
time for the invasion of Normandy. To the planners of the invasion,
keeping this information secure represented the possible success or
failure of the mission. To a German soldier lying in a foxhole on
the beaches of Normandy, knowing the date and time of possible
invasion could mean life or death. To a historian the date only
represents a point of passage or turning point for humanity.

Integrity in a computer system deals with the consistency,
accuracy and reliability of information and our ability to create an
environment to manage it. Data integrity is concerned with the
lowest element of the information chain. Yet, we must be aware
that it is possible to have data integrity and not information
integrity. Data elements comprise information. By adding to,
changing, or deleting the data element, we alter the meaning of
information.
Traditional security considerations provide a starting point
for the discussion of integrity issues. We need to have a general
appreciation for information security. We need to recognize that
threats to informational integrity are more likely to occur from
accidental or unintentional events. Yet, keep in mind the potential
for unauthorized access, modification and destruction of data.

You can take every precaution and still suffer unauthorized
distribution of data, misuse of information, accidental
dissemination, or malicious destruction. No stand alone
computer systems, local area networks, minicomputers, or
mainframes are ever completely safe. All you can do is reduce
the chances and minimize the damage. (12:141)

We must begin proper security controls. They include
controls in the physical realm, the buildings, the rooms, and the
terminals. We need to have access controls, not only to the system
but the data that can be obtained through the system. These
access controls need to be supplemented with authentication
procedures. We must have database and database management system
protection. We must protect the connectivity of our workstations,
the networks, and communications that support our systems. And we
must institute the management controls to ensure the integrity of
the information environment.

Two critical points come to mind. One, the information
network will automatically contain errors if standards and levels of
precision do not exist. Secondly, without the authority to enforce
the standards developed, there is no need for the standard.


The distributed environment is where computer use is moving.
This environment encompasses processing and databases, which calls
for the decentralization of our computer support organizations. We
need to be deliberate in our movement away from centralized ideas
and ensure that the proper controls are in place to guarantee
integrity of data and information.

We must look at the ways we store and retrieve data. We
also must be sure to have the right mix of discretionary and
mandatory access controls in place. Correctness of data is the
primary concern of data integrity in the database management sense.
Yet, in the distributed environment, concurrency and access control
are serious problems. In order to provide the real-time processing
and access we desire, we must solve these problems.

Networks provide us the paths to data and processing that
were unattainable just a scant few years ago. Numerous problems
in the security and integrity arenas exist because of the openness
and accessibility that networks provide. New areas of vulnerability
threaten the sanctity of our data, specifically, those points that
interface with the terminal, the network, and the communications
environment.

We must recognize that information is an asset, as valuable,
and as well worth protecting, as any other kind of property. We
must assess the threat to this asset. We need to determine what
kinds of information are vulnerable, to what kinds of threats, and
from whom. Finally, we must choose the right techniques and
technology to meet the specific threat and challenge of data and
information integrity.